MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2ff2a7de2aa6b33ecf6f63f8e3e8c3fc977ec825036f9fb421064619670924f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adhubllka


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2ff2a7de2aa6b33ecf6f63f8e3e8c3fc977ec825036f9fb421064619670924f
SHA3-384 hash: 59a71d6e420eef02c16f73bf0cb84c064fdc766d60124b14a8e75344c828b1d1207173e8f8c3196514c3bcea2a09709e
SHA1 hash: 1fef641cf4e07924718b9291b80a055016167e9a
MD5 hash: 71852d35ddc0e13d2d830fcf6d185171
humanhash: bravo-spaghetti-purple-juliet
File name:file
Download: download sample
Signature Adhubllka
Create hunting rule
File size:600'576 bytes
First seen:2023-03-15 11:43:44 UTC
Last seen:2023-03-15 13:38:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:qWvI6TBH1eBUY2B8hKWbUzvKM6UAvFl7CYgaG54/LXg:fdlB8hKIUGJUAvFlOmQSLQ
Threatray 69 similar samples on MalwareBazaar
TLSH T18CD44AEC68BF9126F6ACED71CAC14517A3E08657320DFE1B52D20727060275AFCD629E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter jstrosch
Tags:.NET Adhubllka exe MSIL

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-15 11:47:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f51a7cb7-108f-4dff-886e-5d2d9ae6c0ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374512/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Changing a file
Moving a recently created file
Modifying an executable file
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system executable file
Setting browser functions hooks
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6411af853120829676f9906c/reports/0639d973-eaf6-44b5-b364-8f412423ff9a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a2ff2a7de2aa6b33ecf6f63f8e3e8c3fc977ec825036f9fb421064619670924f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRansomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f26ec2e7-1437-44ca-927b-910aeadbfbc7
Result
Threat name:
Cryptolocker
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1194077
Signature
Contains functionality to detect sleep reduction / modifications
Found potential ransomware demand text
Found ransom note / readme
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected AntiVM3
Yara detected Cryptolocker ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2ff2a7de2aa6b33ecf6f63f8e3e8c3fc977ec825036f9fb421064619670924f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ul7su7pcvjvth3hw6y7y4pumh7exp3ecka3pt62ccbsgdftqsjhq._file
Verdict:
malicious
Similar samples:
0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664
Adhubllka
22d7e40c7ecc7fabf7f7b562e2d476dd0697e0f0482ce646de7771b44c29b1e9
Adhubllka
26fdffa14128573dcdd5d3b64724677e98d7646b623d1e6a7af1a193cca483df
Adhubllka
5c90dc8a2bebed531a198159e4fc02c11aabf4a53eb6ce1036795db807e0fe44
Adhubllka
7177160e81c4ed90b8e6551d1dcb1877f697cbc9faa6b66f85976e2a4179154f
Adhubllka
8ecd99368b83efde6f0d0d538e135394c5aec47faf430e86c5d9449eb0c9f770
Adhubllka
a3cf60a275c70b3b79a12f40ef477ceacc35b66209856fafe770df228df08de4
Adhubllka
d7a78307889ab55af6a1475ef731eaf1b19524601e093220afa3830707ff4810
Adhubllka
dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7
Adhubllka
+ 59 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/230315-nv62msfa31/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Enumerates connected drives
Modifies Installed Components in the registry
Unpacked files
SH256 hash:
39fd1fa696f3c1845a5c04f15b603d017d4ef9d0bab93a6bc2c1103c1dca7718
MD5 hash:
0bffb261ea28116e90286c5095367f2a
SHA1 hash:
9d35101e2631cae6c724fa20c101a0a1c2ee5adc
Detections:
win_adhubllka_auto
Create hunting rule
win_adhubllka_a0
Create hunting rule
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
Parent samples :
850ec1ce3298fcef2f348858bb2406afa607c5e6f758e0150912cb092fa4e16d
7177160e81c4ed90b8e6551d1dcb1877f697cbc9faa6b66f85976e2a4179154f
a2ff2a7de2aa6b33ecf6f63f8e3e8c3fc977ec825036f9fb421064619670924f
SH256 hash:
e5030ce04da5c4992836526b2de4a92dd27685c90612d36cfe7f1cac06b41e4d
MD5 hash:
ad9c76795e268c49b3fb68fbc921bf38
SHA1 hash:
8f8fd1c60f5f665c8dfa1bb469556f590467e97a
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
SH256 hash:
ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash:
27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash:
5fd557e109b8fd1c3b362b64f0ba9f1600c07211
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
SH256 hash:
501eaccf83d66fe6737188dd0167069a75998aea1dc0a9c6a550864bd9f53024
MD5 hash:
486e9cc7cd428383e756fa49c843b1d5
SHA1 hash:
1608f74d237c4cfa3ee64a1f11f4283c562f3a1d
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
SH256 hash:
173c1363c633a2bb9f1a51849502103f0f4cc9fd1fbc57803cf24e8f4d6b877a
MD5 hash:
f6880f60718011fb90f41335dd2432b4
SHA1 hash:
995388223a556a7c4f74ba9d9c290e5e4369d796
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
SH256 hash:
c8b5e3f4eea6c7634087954f9e97f81e8a37b39aa303d4ff69f7b4780090464c
MD5 hash:
8e3889d7d370d4b115321f7a9ab7ee28
SHA1 hash:
654021db0bc22f08a8db1620d4d51a7ab751a809
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
SH256 hash:
d9324b54f7c77e1d51fdea229cbb8903546e7ff75fde2f1291dc8932ab9920c0
MD5 hash:
5ec536038fadd9d7bd166aa6233b5048
SHA1 hash:
4787b9c41ade6ffd48c13aae0a99426cae895329
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
SH256 hash:
0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash:
13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash:
e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
SH256 hash:
ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash:
a35ee23aaab26afc575ac83df9572b57
SHA1 hash:
81ea38c694ce9702faddfb961f17c1bbf628a76d
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
SH256 hash:
e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash:
5cac4fe734fc8454ccb847e030beee38
SHA1 hash:
34298fe220e35f614b2c837cf1dc2604ab0882d6
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
SH256 hash:
a2ff2a7de2aa6b33ecf6f63f8e3e8c3fc977ec825036f9fb421064619670924f
MD5 hash:
71852d35ddc0e13d2d830fcf6d185171
SHA1 hash:
1fef641cf4e07924718b9291b80a055016167e9a
Link:
https://www.unpac.me/results/6a8e7e14-0982-4217-ba9d-b03ef5d73bd5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a2ff2a7de2aa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2ff2a7de2aa6b33ecf6f63f8e3e8c3fc977ec825036f9fb421064619670924f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adhubllka

Executable exe a2ff2a7de2aa6b33ecf6f63f8e3e8c3fc977ec825036f9fb421064619670924f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2570340/
Cape
Cape
https://www.capesandbox.com/analysis/374512/

Comments